WEBINAR:On-Demand

Oracle’s Java technology has become a favorite target of hackers and malware writers over the past few years. In response, the company has released Java updates with increasing frequency. In the most recent update, earlier this week, Oracle patched five vulnerabilities that apparently were missed in an earlier mega-update of 50 patches on Feb. 1.

Thus, it's not surprising that many security experts now recommend either disabling Java in your browser or removing it entirely. Carnegie Mellon University’s CERT Program recently advised, “Unless it is absolutely necessary to run Java in Web browsers, disable it … This will help mitigate other Java vulnerabilities that may be discovered in the future.”

How to Disable Java

A detailed article on Oracle’s Java website offers instructions on how to disable Java 7 in Internet Explorer, Firefox, Chrome and Safari on a variety of platforms:

In Chrome, enter about:plugins in the browser’s address bar, then click “Disable” below the listing for Java, and close and restart the browser to enable the changes.

In Firefox, select “Add-ons” from the Tools pull-down menu (or click on the Firefox button at the top of the Firefox window and then click “Add-ons”), then select “Plugins,” look for the Java listing and click “Disable.”

In Internet Explorer, Java can only be disabled through the Java Control Panel for Windows, which can be found in Windows 7 and Windows Vista by clicking on the Start button, then clicking on the Control Panel option, then entering “Java Control Panel” in the Control Panel Search, and clicking on the Java icon. In Windows XP, click on the Start button, then click on the Control Panel option, then double-click on the Java icon. In Windows 8, click on the Search icon at the bottom right corner of the screen, enter “Java Control Panel," then click on the Java icon. Once you’re in the Java Control Panel, click on the Security tab, deselect “Enable Java content in the browser,” click Apply, then click OK in the confirmation window, and close and restart the browser to enable the changes.

In Safari, select “Preferences” from the Safari pull-down menu, then click “Security,” deselect “Enable Java,” and close the Preferences window.

JavaScript Is Not Java

When you deselect “Enable Java” in Safari’s Preferences window, you may also notice that just below it is a checkbox that allows you to enable or disable JavaScript – and you might be tempted to disable that as well.

Don’t go there.

As Sophos senior security advisor Chester Wisniewski explains, “I don’t know if you’ve ever tried to surf without JavaScript enabled, but you won’t do it for very long before you get frustrated. All those dropdown menus, and interactive games, and password complexity checkers – when you put in a new password and it shows you that strength meter – all those things rely on JavaScript. And JavaScript itself, I don’t want to suggest that it’s necessarily innocent … but that’s not what we’re talking about when we talk about Java.”

As Sophos head of technology Paul Ducklin notes in a blog post on the topic, “JavaScript was originally called Mocha after the coffee drink, because programmers run on coffee, but turned into LiveScript, and finally into JavaScript, probably for marketing reasons to compete with Java. The only real similarity with Java is in the first four characters of the name.”

Java, on the other hand, is a programming language that can be used to write standalone computer applications – or to write applets that, via browser plug-ins, can make Web pages more dynamic. “So you don’t need to remove Java from your computer, and you may have programs on your computer that in fact require Java. … What we’re recommending is that you make sure that it’s not on in your Web browser,” Wisniewski says.

If You Want to Delete Java

Still, if you’d like to remove Java entirely from your computer (and most home users are unlikely to have any need for it), Oracle’s Java website offers the following instructions for uninstalling Java 7 from Mac and Windows PCs:

To uninstall Java 7 from your Mac, click on the Finder icon in your dock, click on the Applications tab on the sidebar, enter JavaAppletPlugin.plugin in the search box, then drag the resulting file to the Trash.

To uninstall Java from Windows 7 or Windows Vista, click Start, select Control Panel, select Programs, click Programs and Features, then select the appropriate program and click Uninstall.

To uninstall Java from Windows XP, click Start, select Control Panel, click the Add/Remove Programs icon, then select the appropriate program and click Remove.

What if You Need Java? Advice for Business Users

Many business users, though, do need to access Java in a Web browser from time to time, for anything from payroll management to Web conferencing. “I doubt that there’s a major corporation anywhere in the world that could just disable Java entirely on their networks,” Wisniewski says. “I wish they could, but it’s unrealistic.”

One solution, Wisniewski says, is to enable Java only in a secondary browser. “If you surf all day with Chrome, then disable Java in Chrome – and leave Java enabled in Firefox or IE,” he says. Then you can safely use Chrome for the vast majority of your browsing, but when you need to go to a site that requires Java, just use the other browser for that one task.

“That way, most of the time, when I’m doing my casual surfing … checking sports scores and stuff, which are the types of websites we see getting compromised … I’m not at risk, because I don’t have it,” Wisniewski says. “And when I have to do something that requires it, I just open up the other browser – and then I don’t use that for my regular surfing.”

An alternate option for users of Firefox, Chrome or Safari is to enable Click to Play. “That automatically blocks Flash and Java from all websites, and then when you go to something that requires it, you get a little puzzle piece … that says, ‘Java object – click to enable,’” Wisniewski says.

For most enterprises, that’s a pretty safe way to proceed. “Instead of turning it off, you could enable Click to Play and do a little educational campaign with your users through e-mail, saying, ‘When you come across websites that may contain Java content, we know Java’s being used for malicious purposes, so we’ve turned this thing on where you have to knowingly choose to run it,’” Wisniewski says.

Enabling Click to Play is relatively straightforward:

To enable Click to Play in Chrome, enter about:settings in the browser’s address bar, scroll down and click on “Show advanced settings,” then click on “Content settings” under Privacy. Scroll down to “Plug-ins,” select “Click to play,” click OK, then close and restart the browser.

To enable Click to Play in Firefox, enter about:config in the browser’s address bar, click on “I’ll be careful, I promise,” then scroll down to “plugins.click_to_play” and double-click on that line (and that line only) to change the value on the right from “false” to “true,” then close and restart the browser.

Whatever you choose to do, Wisniewski says, it’s important to take this threat seriously. “In informal surveys I’ve done in the lab, I’ve seen that upwards of 90 percent of machines that are being attacked in drive-bys are being hit by Java,” he says. “So this isn’t a small problem … but at the same time, we know that you can’t just panic and remove it – so look carefully at what you can do, and do the best you can to minimize the risk.”

Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at jeff@jeffgoldman.com.